Requirements for Trusted Server Connections

When connecting a Tera2 PCoIP Zero Client to a PCoIP endpoint using a View Connection Server or PCoIP Connection Manager session connection type, the padlock icon and 'https' text on the user login screen indicate whether the HTTPS connection is trusted or untrusted. See Connecting a Session for details.

  • Closed padlock with green 'https' text: The connection is secured with HTTPS and the server’s certificate is trusted by the Tera2 PCoIP Zero Client.
  • Open padlock with red strikethrough 'https:' text: The connection is secured with HTTPS, but the server’s certificate is not trusted by the Tera2 PCoIP Zero Client.

This section explains the certificate requirements that must be in place for each server type in order to have a trusted HTTPS connection. The following tables show which requirements are necessary for each Tera2 PCoIP Zero Client certificate checking mode.

Criteria Applied for Auto Detect Mode

If you use Auto Detect mode to connect, either the View Connection Server or PCoIP Connection Manager criteria are applied, depending on the server type.

View Connection Server Requirements

When connecting to a View Connection Server, the certificate requirements are as follows:

View Connection Server Certificate Requirements

| Certificate Requirement | Never connect to untrusted servers | Warn before connecting to untrusted servers | Do not verify server certificates |
| --- | --- | --- | --- |
| Valid according to computer clock (not expired and not valid only in the future). | Required | The certificate is accepted if the time is not valid but all other requirements are met. Warn the user before proceeding. | Not checked |
| Certificate subject or a subject alternative name must match the VCS address. | Required | Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. | Not checked |
| Certificate must have the serverAuth enhanced key usage. | Required | Required | Not checked |
| Certificate chain of trust must be rooted in device’s local certificate store. | Required | Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. | Not checked |
| Certificate must not be revoked (checked using OCSP (Online Certificate Status Protocol) only if there is an OCSP responder address in the certificate). | Required | Required | Not checked |

PCoIP Connection Manager Requirements

When connecting to a PCoIP Connection Manager, the certificate requirements are as follows:

PCoIP Connection Manager Certificate Requirements

| Certificate Requirement | Never connect to untrusted servers | Warn before connecting to untrusted servers | Do not verify server certificates |
| --- | --- | --- | --- |
| Valid according to computer clock (not expired and not valid only in the future). | Required | The certificate is accepted if the time is not valid but all other requirements are met. Warn the user before proceeding. | Not checked |
| Certificate subject or a subject alternative name must match the VCS address. | Required | Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. | Not checked |
| Certificate must have the serverAuth enhanced key usage. | Required | Required | Not checked |
| Certificate chain of trust must be rooted in device’s local certificate store. | Required | Warn the user when certificate is not trusted. | Not checked |
| Certificate must not be revoked (checked using OCSP (Online Certificate Status Protocol) only if there is an OCSP responder address in the certificate). | Required | Required | Not checked |
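
The two requirement tables above can be read as one decision procedure. The following is an added example, not Teradici code: it predicts the outcome for a certificate from check results gathered elsewhere. The names `CertFacts` and `evaluate` are hypothetical, and it assumes that a failed "Required" row means the connection is refused and that, when several checks fail, the most severe outcome wins.

```python
from dataclasses import dataclass
from typing import Optional

NEVER, WARN, NO_VERIFY = "never", "warn", "no_verify"  # certificate checking modes
VCS, PCM = "vcs", "pcm"                                # server types

@dataclass
class CertFacts:
    """Check results for one server certificate (hypothetical model, not a parser)."""
    time_valid: bool
    name_matches: bool
    has_server_auth: bool
    chain_trusted: bool
    self_signed: bool
    revoked: Optional[bool] = None  # None: no OCSP responder address, so not checked

def evaluate(facts, server, mode):
    """Return (outcome, reasons); outcome is 'connect', 'warn' or 'reject'."""
    if mode == NO_VERIFY:
        return "connect", []  # every row is "Not checked"
    failures = []  # (reason, outcome this failure has in Warn mode)
    if not facts.time_valid:
        failures.append(("outside validity period", "warn"))
    if not facts.name_matches:
        failures.append(("name mismatch", "warn" if facts.self_signed else "reject"))
    if not facts.has_server_auth:
        failures.append(("missing serverAuth EKU", "reject"))
    if not facts.chain_trusted:
        # The tables differ on this row: PCM warns for any untrusted chain,
        # VCS warns only when the certificate is self-signed.
        soft = server == PCM or facts.self_signed
        failures.append(("chain not rooted in local store", "warn" if soft else "reject"))
    if facts.revoked:
        failures.append(("revoked per OCSP", "reject"))
    reasons = [reason for reason, _ in failures]
    if not failures:
        return "connect", reasons
    # Assumption: in Never mode any failure refuses the connection.
    if mode == NEVER or any(outcome == "reject" for _, outcome in failures):
        return "reject", reasons
    return "warn", reasons
```
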